Description

The nsslapd-plugin attribute on cn=config is a multi-valued, read-only attribute that lists the syntaxes and matching rules loaded by the server. This manual page covers server plug-in configuration, rather than the nsslapd-plugin attribute.

In most circumstances, you configure plug-in functionality using the dsconf(1M) command. See plugin(5dsconf) for a list of configurable properties.

ATTRIBUTES FOR PLUG-IN CONFIGURATION ENTRIES

The following list covers each plug-in configuration entry attribute.

nsslapd-plugin-depends-on-named

This is a multivalued attribute, used to ensure that plug-ins are called by the server in the correct order. It takes a value that corresponds to the cn value of a plug-in. The server starts a plug-in whose cn value matches one of this attribute's values before it starts this plug-in. If the plug-in does not exist, the server fails to start.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Plug-in name

Default Value

None

Syntax

DirectoryString

Example

nsslapd-plugin-depends-on-named: Class of Service

nsslapd-plugin-depends-on-type

This is a multivalued attribute, used to ensure that plug-ins are called by the server in the correct order. It takes a value that corresponds to the type of a plug-in, contained in the attribute nsslapd-pluginType, and requires that plug-ins of that type are started before the present plug-in.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Plug-in type

Default Value

None

Syntax

DirectoryString

Example

nsslapd-plugin-depends-on-type: database

nsslapd-pluginDescription

Provides a description of the plug-in.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Any DirectoryString

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginDescription: acl access check plug-in

nsslapd-pluginEnabled

Specifies whether or not the plug-in is enabled. This attribute can
be changed over protocol, but will only take effect when the server is next
restarted.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-pluginEnabled: on

nsslapd-pluginId

Specifies the plug-in ID.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Any valid plug-in ID.

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginId: chaining database

nsslapd-pluginInitfunc

Specifies the plug-in function to be initiated.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Any valid plug-in function.

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginInitfunc: NS7bitAttr_Init

nsslapd-pluginPath

Specifies the full path to the plug-in.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Any valid path

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginPath: /opt/SUNWdsee/ds6/lib/uid-plugin.so

nsslapd-pluginType

Specifies the plug-in type.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Any valid plug-in type.

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginType: preoperation

nsslapd-pluginVendor

Specifies the vendor of the plug-in.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Any approved plug-in vendor.

Default Value

Sun Microsystems, Inc.

Syntax

DirectoryString

Example

nsslapd-pluginVendor: Sun Microsystems, Inc.

nsslapd-pluginVersion

Specifies the plug-in version.

Entry DN

cn=pluginName,cn=plugins,cn=config

Valid Range

Any valid plug-in version.

Default Value

Product version

Syntax

DirectoryString

Example

nsslapd-pluginVersion: 6.0
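
The effect of nsslapd-plugin-depends-on-named and nsslapd-plugin-depends-on-type can be checked offline before a restart. The following is an added example, not part of the original manual page or the product: it computes a start order from a map of plug-in entries and reports a named dependency that does not exist, the case in which the server fails to start. The sample entries, the hypothetical "Example Audit" plug-in, the type values and the case-insensitive comparison are assumptions.

```python
from collections import deque

NAMED = "nsslapd-plugin-depends-on-named"
BY_TYPE = "nsslapd-plugin-depends-on-type"
TYPE = "nsslapd-pluginType"

# Constructed sample: cn of each entry under cn=plugins,cn=config mapped to
# the attributes that matter for ordering. "Example Audit" is hypothetical and
# the type values are chosen for illustration.
SAMPLE_PLUGINS = {
    "Example Audit": {TYPE: "postoperation", NAMED: ["Class of Service"]},
    "ACL preoperation": {TYPE: "preoperation", BY_TYPE: ["database"]},
    "Class of Service": {TYPE: "postoperation"},
    "ldbm database plug-in": {TYPE: "database"},
}


def start_order(plugins):
    """Return (order, errors) for a {cn: attributes} map of plug-in entries."""
    # Assumption: cn and type values compare case-insensitively.
    names = {cn.lower(): cn for cn in plugins}
    by_type = {}
    for cn, attrs in plugins.items():
        by_type.setdefault(attrs.get(TYPE, "").lower(), []).append(cn)

    deps = {cn: set() for cn in plugins}
    errors = []
    for cn, attrs in plugins.items():
        for wanted in attrs.get(NAMED, []):
            target = names.get(wanted.lower())
            if target is None:
                # Per the page, a missing named dependency stops server startup.
                errors.append(f"{cn}: depends on missing plug-in '{wanted}'")
            elif target != cn:
                deps[cn].add(target)
        for wanted_type in attrs.get(BY_TYPE, []):
            same_type = by_type.get(wanted_type.lower(), [])
            deps[cn].update(p for p in same_type if p != cn)

    # Kahn's algorithm: repeatedly start plug-ins with no unmet dependency.
    waiting = {cn: len(d) for cn, d in deps.items()}
    dependents = {cn: [] for cn in plugins}
    for cn, d in deps.items():
        for dep in d:
            dependents[dep].append(cn)
    ready = deque(sorted(cn for cn, n in waiting.items() if n == 0))
    order = []
    while ready:
        cn = ready.popleft()
        order.append(cn)
        for nxt in sorted(dependents[cn]):
            waiting[nxt] -= 1
            if waiting[nxt] == 0:
                ready.append(nxt)
    if len(order) < len(plugins):
        stuck = sorted(set(plugins) - set(order))
        errors.append("dependency cycle among: " + ", ".join(stuck))
    return order, errors


if __name__ == "__main__":
    order, errors = start_order(SAMPLE_PLUGINS)
    for position, cn in enumerate(order, 1):
        print(position, cn)
    for problem in errors:
        print("ERROR:", problem)
```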

7-BIT CHECK PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

7-Bit Check (NS7bitAttr)

DN of Configuration Entry

cn=7-bit check,cn=plugins,cn=config

Description

Checks that certain attributes are seven-bit clean.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

List of attributes, uid mail userpassword,
followed by a comma, and then by the suffix or suffixes
on which the check is to occur.

Dependencies

None

Performance Related Information

None

Further Information

If your Directory Server uses non-ASCII characters such
as Japanese and other languages for some attributes, remove those attributes
from the list of attributes checked by this plug-in.

When adding or modifying an attribute value checked by this plug-in,
and the new value violates the seven-bit check, the client receives an LDAP_CONSTRAINT_VIOLATION (19) return code, and a message such as the following: Value
of attribute attr contains extended
(8-bit) characters: value

ACL PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

ACL Plugin

DN of Configuration Entry

cn=ACL Plugin,cn=plugins,cn=config

Description

ACL access check plug-in

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Leave this plug-in running at all times.

ACL PREOPERATION PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

ACL preoperation

DN of Configuration Entry

cn=ACL preoperation,cn=plugins,cn=config

Description

ACL access check plug-in.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

Database

Performance Related Information

Leave this plug-in running at all times.

BINARY SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Binary Syntax

DN of Configuration Entry

cn=Binary Syntax,cn=plugins,cn=config

Description

Syntax for handling binary data.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

BOOLEAN SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Boolean Syntax

DN of Configuration Entry

cn=Boolean Syntax,cn=plugins,cn=config

Description

Syntax for handling booleans.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

CASE EXACT STRING SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Case Exact String Syntax

DN of Configuration Entry

cn=Case Exact String Syntax,cn=plugins,cn=config

Description

Syntax for handling case-sensitive strings.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

CASE IGNORE STRING SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Case Ignore String Syntax

DN of Configuration Entry

cn=Case Ignore String Syntax,cn=plugins,cn=config

Description

Syntax for handling case-insensitive strings.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

CHAINING DATABASE PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Chaining Database

DN of Configuration Entry

cn=Chaining database,cn=plugins,cn=config

Description

Syntax for handling DNs.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

CLASS OF SERVICE PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Class of Service

DN of Configuration Entry

cn=Class of Service,cn=plugins,cn=config

Description

Allows for sharing of attributes between entries.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

Set the nsslapd-pluginarg0 attribute to:

0 (default) to enable fast lookup of classic
CoS templates

1 to disable fast lookup for classic CoS
template selection

2 to disable checks for ambiguous pointer
and classic CoS definitions

Ambiguous definitions result when
more than one value could be returned for the same attribute of the same entry.
When checking remains enabled, Directory Server logs an informational message
upon encountering such an ambiguity, provided you have set the log level to
allow plug-ins to log informational messages.

3 to disable both

Restart Directory Server for modifications to take effect.

Dependencies

None

Performance Related Information

Leave this plug-in running at all times.

COUNTRY STRING SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Country String Syntax

DN of Configuration Entry

cn=Country String Syntax,cn=plugins,cn=config

Description

Syntax for handling countries.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

DISTINGUISHED NAME SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Distinguished Name Syntax

DN of Configuration Entry

cn=Distinguished Name Syntax,cn=plugins,cn=config

Description

Syntax for handling DNs.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

DSML FRONTEND SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Frontend

DN of Configuration Entry

cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config

Description

Enables you to access the directory using DSML v2 over SOAP/HTTP.

Configurable Options

on | off

Default Setting

off

Configurable Arguments

ds-hdsml-soapschemalocation

ds-hdsml-dsmlschemalocation

Dependencies

None

Performance Related Information

None

GENERALIZED TIME SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Generalized Time Syntax

DN of Configuration Entry

cn=Generalized Time Syntax,cn=plugins,cn=config

Description

Syntax for dealing with dates, times, and time zones.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

Further Information

The Generalized Time String consists of the four digit year,
two digit month (for example, 01 for January), two digit day, two digit hour,
two digit minute, two digit second, an optional decimal part of a second and
a time zone indication. We strongly recommend that you use the Z time zone
indication (Greenwich Mean Time).
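
The format described above can be validated and normalized before values are written to the directory. This is an added example, not part of the original manual page: it parses a Generalized Time string, converts it to UTC, and reports whether the recommended Z indication was used. Accepting a +hhmm or -hhmm differential as the other form of time zone indication, and a comma as decimal separator, are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# year, month, day, hour, minute, second, optional fraction, time zone
GENERALIZED_TIME = re.compile(
    r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})"
    r"(?:[.,](\d+))?"
    r"(Z|[+-]\d{2}(?:\d{2})?)"
)


def parse_generalized_time(value):
    """Return (utc_datetime, uses_z) or raise ValueError for a bad value."""
    match = GENERALIZED_TIME.fullmatch(value)
    if match is None:
        raise ValueError(f"not a Generalized Time string: {value!r}")
    year, month, day, hour, minute, second = (int(g) for g in match.groups()[:6])
    fraction, zone = match.group(7), match.group(8)
    # Keep at most microsecond precision from the decimal part of the second.
    micro = int((fraction or "0")[:6].ljust(6, "0"))
    if zone == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5] or 0))
        tzinfo = timezone(sign * offset)
    # datetime() itself rejects impossible dates such as February 30.
    local = datetime(year, month, day, hour, minute, second, micro, tzinfo)
    return local.astimezone(timezone.utc), zone == "Z"


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("20060317141500Z", "20060317151500.5+0100", "200603171415Z"):
        try:
            when, uses_z = parse_generalized_time(sample)
            note = "" if uses_z else "  (not in the recommended Z form)"
            print(sample, "->", when.isoformat() + note)
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```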

INTEGER SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Integer Syntax

DN of Configuration Entry

cn=Integer Syntax,cn=plugins,cn=config

Description

Syntax for handling integers.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

INTERNATIONALIZATION PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Internationalization Plugin

DN of Configuration Entry

cn=Internationalization Plugin,cn=plugins,cn=config

Description

Syntax for handling DNs.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None. In contrast to previous versions of Directory Server,
the collation orders and locales used by the internationalization plug-in
are now stored in the configuration.

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

LDBM DATABASE PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

ldbm database plug-in

DN of Configuration Entry

cn=ldbm database plug-in,cn=plugins,cn=config

Description

Implements local databases.

Configurable Options

None

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Leave this plug-in running at all times.

MULTIMASTER REPLICATION PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Multimaster Replication Plugin

DN of Configuration Entry

cn=Multimaster Replication plugin,cn=plugins,cn=config

Description

Enables replication between two Directory Server suffixes.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

database

Performance Related Information

None

Further Information

You can turn this plug-in off if you have only one server,
which will never replicate.

OCTET STRING SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Octet String Syntax

DN of Configuration Entry

cn=Octet String Syntax,cn=plugins,cn=config

Description

Syntax for handling octet strings.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

CLEAR PASSWORD STORAGE PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

CLEAR

DN of Configuration Entry

cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config

Description

CLEAR password storage scheme used for password encryption.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

CRYPT PASSWORD STORAGE PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

CRYPT

DN of Configuration Entry

cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config

Description

CRYPT password storage scheme used for password encryption.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

NS-MTA-MD5 PASSWORD STORAGE SCHEME PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

NS-MTA-MD5

DN of Configuration Entry

cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config

Description

NS-MTA-MD5 password storage scheme for password encryption.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

Further Information

You can no longer choose to encrypt passwords using the NS-MTA-MD5
password storage scheme. The storage scheme is still present, but for backward
compatibility only. The data in your directory still contains passwords encrypted
with the NS-MTA-MD5 password storage scheme.

RMCE PASSWORD STORAGE SCHEME PLUG-IN

This password storage scheme plug-in is used, for example, by the administration
framework and is reserved for internal use.

SHA PASSWORD STORAGE SCHEME PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

SHA

DN of Configuration Entry

cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config

Description

SHA password storage scheme for password encryption.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

If there are no passwords encrypted using the SHA password
storage scheme, you may turn this plug-in off. If you want to encrypt your
password with the SHA password storage scheme, choose SSHA instead. SSHA is
a far more secure option.

SSHA PASSWORD STORAGE SCHEME PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

SSHA

DN of Configuration Entry

cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config

Description

SSHA password storage scheme for password encryption.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.
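
Before turning off the SHA plug-in, or to find entries still using a scheme kept only for compatibility, count which storage schemes the stored passwords actually use. The following is an added example, not part of the original manual page or the product: it reads an LDIF export and groups userPassword values by their {SCHEME} prefix. The sample LDIF, its DNs and digests are constructed, and the note attached to CLEAR is this example's own; the SHA and NS-MTA-MD5 notes restate the guidance in the sections above.

```python
import base64
import re
from collections import defaultdict

SCHEME_PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)\}")
NOTES = {
    "SHA": "the page recommends SSHA instead",
    "NS-MTA-MD5": "present for backward compatibility only",
    "CLEAR": "value is stored without hashing",  # this example's own note
}

# Constructed sample export; digests are placeholders, not real hashes.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword: {SSHA}constructedSaltedDigest",
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    # LDIF marks base64-encoded values with a double colon.
    "userPassword:: " + base64.b64encode(b"{SHA}constructedDigest").decode(),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword: {NS-MTA-MD5}constructed",
    " FoldedDigest",  # LDIF continuation line (leading space)
    "",
    "dn: uid=dave,ou=people,dc=example,dc=com",
    "userPassword: {CLEAR}constructed-clear-value",
    "",
])


def unfold(text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def audit_schemes(ldif_text):
    """Return {scheme: [dn, ...]} for every userPassword value in the LDIF."""
    by_scheme = defaultdict(list)
    dn = None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        encoded = rest.startswith(":")
        value = rest[1:].strip() if encoded else rest.strip()
        if encoded:
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword" and dn:
            found = SCHEME_PREFIX.match(value)
            scheme = found.group(1).upper() if found else "(no scheme prefix)"
            by_scheme[scheme].append(dn)
    return dict(by_scheme)


def findings(by_scheme):
    """List (scheme, dn, note) for schemes that carry a note."""
    return [(scheme, dn, NOTES[scheme])
            for scheme in sorted(by_scheme) if scheme in NOTES
            for dn in by_scheme[scheme]]


if __name__ == "__main__":
    for scheme, dn, note in findings(audit_schemes(SAMPLE_LDIF)):
        print(f"{scheme}: {dn} ({note})")
```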

STRONG PASSWORD CHECK PLUG-IN

When Directory Server is configured to check password quality, and
this plug-in is enabled, the plug-in checks the following each time a password
is added or modified.

Clear text password values contain the classes of characters
specified by the configuration.

Clear text password values do not contain any sequence of
four characters present in the dictionary file specified by the configuration.

Hashed password values such as {SSHA}0Ri1g2yqlH3GTZcuRQ4uS22syCQLBKAU2ypLSw== are not checked.

Consider the following aspects of this plug-in.

Plug-In Name

Strong Password Checking plug-in

DN of Configuration Entry

cn=Strong Password Check,cn=plugins,cn=config

Configurable options and arguments

on | off

nsslapd-pluginarg0, which takes an integer representing
a mask of values representing the character classes that must be present in
a valid password. Set nsslapd-pluginarg0 to one of or a
sum of the following values, not counting the special values 16 and 17.

1 means the password must contain special
characters.

2 means the password must contain numeric
characters.

4 means the password must contain upper
case characters.

8 means the password must contain lower
case characters.

16 is a special value meaning at least
three of the four character classes.

17 is a special value meaning at least
two of the four character classes.

The default setting is 15.

nsslapd-pluginarg1, which takes the absolute file
system path to an ASCII dictionary file. If the argument is missing, the dictionary
check is skipped. The plug-in does not initialize and Directory Server does
not start if the value of this attribute is invalid or refers to an inaccessible
file.

Default settings

off

Dependencies

Default password file, install-path/ds6/plugins/words-english-big.txt
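
To see what a given nsslapd-pluginarg0 value would accept before enabling the plug-in, the documented rules can be modelled offline. This is an added example, not the plug-in's own code: it applies the character class mask, the special values 16 and 17, and the four-character dictionary check, and reports already hashed values as not checked. Treating any non-alphanumeric character as special, comparing dictionary sequences case-insensitively, and recognising hashed values by a leading {SCHEME} prefix are assumptions.

```python
import re

SPECIAL, NUMERIC, UPPER, LOWER = 1, 2, 4, 8
CLASS_NAMES = {SPECIAL: "special", NUMERIC: "numeric",
               UPPER: "upper case", LOWER: "lower case"}
# Assumption: a value that starts with {SCHEME} is already hashed.
HASHED = re.compile(r"^\{[A-Za-z0-9-]+\}")


def classes_present(password):
    """Bit mask of the character classes found in a clear text password."""
    mask = 0
    for ch in password:
        if ch.isdigit():
            mask |= NUMERIC
        elif ch.isupper():
            mask |= UPPER
        elif ch.islower():
            mask |= LOWER
        else:
            mask |= SPECIAL  # assumption: everything else counts as special
    return mask


def dictionary_hits(password, words, n=4):
    """Four-character sequences of the password that occur in a dictionary word."""
    fragments = set()
    for word in words:
        word = word.strip().lower()
        fragments.update(word[i:i + n] for i in range(len(word) - n + 1))
    low = password.lower()
    return sorted({low[i:i + n] for i in range(len(low) - n + 1)} & fragments)


def check_password(value, arg0=15, words=None):
    """Return (verdict, reasons); verdict is accept, reject or not-checked."""
    if HASHED.match(value):
        return "not-checked", ["value is already hashed, so its quality is unknown"]
    present = classes_present(value)
    count = bin(present).count("1")
    reasons = []
    if arg0 in (16, 17):
        needed = 3 if arg0 == 16 else 2
        if count < needed:
            reasons.append(f"only {count} of 4 character classes, {needed} required")
    elif 1 <= arg0 <= 15:
        reasons += [f"no {name} character" for bit, name in CLASS_NAMES.items()
                    if arg0 & bit and not present & bit]
    else:
        raise ValueError(f"unsupported nsslapd-pluginarg0 value: {arg0}")
    if words is not None:  # a missing dictionary argument skips this check
        hits = dictionary_hits(value, words)
        if hits:
            reasons.append("dictionary sequence: " + ", ".join(hits))
    return ("reject" if reasons else "accept"), reasons


if __name__ == "__main__":
    # Constructed sample passwords and a one-word constructed dictionary.
    for candidate in ("Zq7!Kp2#", "alllowercase", "Xx9!password",
                      "{SSHA}0Ri1g2yqlH3GTZcuRQ4uS22syCQLBKAU2ypLSw=="):
        print(candidate, check_password(candidate, 15, ["password"]))
```

A "not-checked" verdict marks a write that reaches the directory without any quality check, which is worth tracking separately from accepted clear text values.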

POSTAL ADDRESS STRING SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Postal Address Syntax

DN of Configuration Entry

cn=Postal Address Syntax,cn=plugins,cn=config

Description

Syntax used for handling postal addresses.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

PTA PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Pass Through Authentication

DN of Configuration Entry

cn=Pass Through Authentication,cn=plugins,cn=config

Description

Enables pass-through authentication, the mechanism that allows
one directory to consult another to authenticate bind requests.

Configurable Options

on | off

Default Setting

off

Configurable Arguments

The LDAP URL to the configuration directory.

nsslapd-pluginarg0: ldap://config.example.com/o=example

Dependencies

None

REFERENTIAL INTEGRITY POSTOPERATION PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Referential Integrity Postoperation

DN of Configuration Entry

cn=Referential Integrity Postoperation,cn=plugins,cn=config

Description

Enables the server to ensure referential integrity.

All attributes in all databases that are used by the referential integrity
plug-in must be indexed. The indexes need to be created in the configuration
of all the databases. When the retro change log is enabled, the cn=changelog suffix must be indexed.

Configurable Options

All configuration and on | off

Default Setting

off

Configurable Arguments

When enabled, the post operation Referential Integrity plug-in
performs integrity updates on the member, uniquemember, owner, and seeAlso attributes
immediately after a delete or rename operation. You can reconfigure the plug-in
to perform integrity checks on all other attributes.

The following arguments are configurable:

(nsslapd-pluginarg0) Check for referential
integrity

-1 = no check for referential integrity

0 = check for referential integrity is performed
immediately

positive integer = request for
referential integrity is queued and processed at a later stage. This positive
integer serves as a wake-up call for the thread to process the request, at
intervals corresponding to the integer specified.

(nsslapd-pluginarg1) Log file for storing
the change, for example /local/ds/logs/referint

Enable the referential integrity plug-in with the same configuration
on every master.

Set the first argument to a positive value, such as 10,
meaning ten seconds, to ensure that work performed by this plug-in happens
asynchronously, rather than synchronously.

When enabling the plug-in, also create equality indexes for all attributes
configured for use with the plug-in. The plug-in uses such indexes when searching
for entries to update. Without equality indexes for the attributes it uses,
the plug-in must perform costly unindexed searches that have negative impact
on performance.

RETRO CHANGE LOG PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Retro Changelog Plugin

DN of Configuration Entry

cn=Retro Changelog Plugin,cn=plugins,cn=config

Description

Used by LDAP clients for maintaining application compatibility
with Directory Server 4.x versions.

Maintains a log of all changes occurring in Directory Server. The
retro change log offers the same functionality as the changelog in the 4.x
versions of Directory Server.

Configurable Options

on | off

Default Setting

off

Configurable Arguments

The following arguments can be configured for the retro change log plug-in:

nsslapd-pluginarg0: -ignore_attributes configures
the retro change log plug-in to ignore attributes specified by the following nsslapd-pluginarg. This argument is configured by default.

nsslapd-pluginarg1: copyingFrom specifies
a list of attributes to be ignored by the preceding nsslapd-pluginarg.
This argument is configured by default.

nsslapd-pluginarg2: suffixes="suffix1","suffix2" configures
the retro change log to record updates to specified suffixes only.

nsslapd-pluginarg3: deletedEntryAttributes=attribute1,attribute2 configures the retro change log to record specified attributes
of an entry when that entry is deleted.

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

STATE CHANGE PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

State Change Plugin

DN of Configuration Entry

cn=State Change Plugin,cn=plugins,cn=config

Description

State change notification service plug-in for detecting updates,
such as configuration changes, and triggering callbacks when updates happen.

This plug-in is used internally by the roles plug-in.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

SUBTREE ENTRY COUNTER PLUG-INS

Consider the following aspects of this plug-in.

Plug-In Name

Subtree Entry Counter For ObjectClass

DN of Configuration Entry

cn=Subtree Entry Counter for ObjectClass,cn=plugins,cn=config

Description

Maintain a count of entries with a particular object class.
The following plug-ins are provided.

Subtree entry counter for departments in domains

Subtree entry counter for domains within a domain

Subtree entry counter for mail lists

Subtree entry counter for nested departments

Subtree entry counter for total domains

Subtree entry counter for users

Configurable Options

on | off

Default Setting

off

Configurable Arguments

None

Dependencies

None

Performance Related Information

These plug-ins are provided for use with Messaging Server
only, and are disabled by default. Leave these plug-ins disabled unless your
Messaging Server requires them.

Counter Attributes Maintained

nsNumDepts

Either the number of departments within a domain, or the number
of departments within a department (nested departments), depending on the
DN of the entry.

nsNumDomains

Either the number of total domains, or the number of domains
within a domain or nested domain, depending on the DN of the entry.

nsNumMailLists

Number of mail lists.

TELEPHONE SYNTAX PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

Telephone Syntax

DN of Configuration Entry

cn=Telephone Syntax,cn=plugins,cn=config

Description

Syntax for handling telephone numbers.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Leave this
plug-in running at all times.

UID UNIQUENESS PLUG-IN

Consider the following aspects of this plug-in.

Plug-In Name

UID Uniqueness

DN of Configuration Entry

cn=UID Uniqueness,cn=plugins,cn=config

Description

Checks that the values of specified attributes are unique
each time a modification occurs on an entry.

Configurable Options

on | off

Default Setting

off

Configurable Arguments

You may configure this plug-in in either of two different
ways.

Specify attributes that must be unique for a series of one
or more subtrees identified by DNs. For example, to specify that employeeNumber and uid attribute values must be unique across
both o=org1,dc=example,dc=com and o=org2,dc=example,dc=com, configure the arguments in the configuration entry as follows:

You specify attributes that must be unique inside congruent
subtrees, optionally only on entries of a specified object class. For example,
to specify that employeeNumber and uid attribute
values must be unique in either o=org1,dc=example,dc=com or o=org2,dc=example,dc=com, but only on entries of the inetOrgPerson object class, configure the arguments in the configuration entry
as follows: